ID: IRCNE2012071564
Date: 2012-07-25
According to “ZDNet”, a new Mac OS X Trojan has been discovered that drops different components depending on whether it is executed from a user account with Admin permissions. The threat installs itself silently (no user interaction is required) and does not need the user's password to infect the Mac. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions.
Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis."
Like most Trojans, it installs silently when run and opens a backdoor. What makes this threat particularly worrying is that the components it installs depend on whether the account has Admin permissions, and those components use low-level system calls to hide their activity. In either case it creates a number of files and folders to carry out its tasks.
If the dropper runs under an account with Admin permissions, it also drops a rootkit to hide itself. The malware creates 17 files when run with Admin permissions and 14 when run without. Many of these are randomly named, but some are consistent. With or without Admin permissions, this folder is created:
/Library/ScriptingAdditions/appleHID/
Only with Admin permissions, this folder is also created:
/System/Library/Frameworks/Foundation.framework/XPCServices/
Here's where it gets interesting. "The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file," an Intego spokesperson said in a statement. "This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware."
Curiously, this particular malware only affects OS X 10.6 Snow Leopard and OS X 10.7 Lion.
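As an added example (not code from ZDNet, Intego, or the malware itself), the following Python turns the indicators reported above into two checks an incident responder can run: whether the folders listed for each privilege level exist on a host, and whether a connection log shows the five-minute call-home to 176.58.100.37. The connection-log line format, the source and second destination addresses in the sample, the 30-second tolerance and the three-hit minimum are all assumptions made for this example. Because the article only reports these folders for OS X 10.6 and 10.7, treat a hit on the XPCServices folder on any other version as a lead to verify rather than proof.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Indicators taken from the write-up above.
C2_ADDRESS = "176.58.100.37"
BEACON_INTERVAL = timedelta(minutes=5)
# Folder -> the privilege level at which the write-up says it appears.
ARTIFACT_DIRS = {
    "/Library/ScriptingAdditions/appleHID/": "any",
    "/System/Library/Frameworks/Foundation.framework/XPCServices/": "admin",
}


def check_artifact_dirs(root="/"):
    """Return {folder: privilege} for each indicator folder present under root.

    root defaults to the live filesystem; a test can point it at a
    constructed tree instead.
    """
    found = {}
    for path, privilege in ARTIFACT_DIRS.items():
        if os.path.isdir(os.path.join(root, path.lstrip("/"))):
            found[path] = privilege
    return found


def make_constructed_tree(admin):
    """Build a throwaway directory tree imitating an infected host (a constructed
    test fixture, not real malware output) and return its root."""
    root = tempfile.mkdtemp(prefix="crisis-ioc-")
    os.makedirs(os.path.join(root, "Library/ScriptingAdditions/appleHID"))
    if admin:
        os.makedirs(os.path.join(
            root, "System/Library/Frameworks/Foundation.framework/XPCServices"))
    return root


def parse_connection_log(lines):
    """Parse constructed 'ISO-timestamp src -> dst' lines into (datetime, dst).

    The line format is an assumption for this example; adapt the split to
    whatever your firewall or proxy actually logs.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        stamp, _, rest = line.partition(" ")
        _, _, dst = rest.partition("-> ")
        events.append((datetime.fromisoformat(stamp), dst.strip()))
    return events


def find_beaconing(events, address=C2_ADDRESS, interval=BEACON_INTERVAL,
                   tolerance=timedelta(seconds=30), min_hits=3):
    """Return the timestamps of connections to address if they recur at
    roughly `interval`, otherwise an empty list.

    A gap between consecutive connections counts as regular when it is within
    `tolerance` of the expected interval. At least min_hits connections and
    min_hits - 1 regular gaps are required, so one-off traffic is ignored.
    """
    times = sorted(t for t, dst in events if dst == address)
    if len(times) < min_hits:
        return []
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    regular = sum(1 for g in gaps if abs(g - interval) <= tolerance)
    return times if regular >= min_hits - 1 else []


# Constructed sample: an infected host beaconing, plus one unrelated connection
# (192.0.2.10 is a documentation address, chosen so it matches nothing real).
SAMPLE_LOG = """
2012-07-25T10:00:03 10.0.1.12 -> 176.58.100.37
2012-07-25T10:02:40 10.0.1.12 -> 192.0.2.10
2012-07-25T10:05:04 10.0.1.12 -> 176.58.100.37
2012-07-25T10:10:02 10.0.1.12 -> 176.58.100.37
2012-07-25T10:15:05 10.0.1.12 -> 176.58.100.37
""".strip().splitlines()


if __name__ == "__main__":
    hits = find_beaconing(parse_connection_log(SAMPLE_LOG))
    print("beaconing to %s seen at %d timestamps" % (C2_ADDRESS, len(hits)))
    print("indicator folders on this host:", check_artifact_dirs())
```

The beacon check keys on timing as well as the address, so a single stray connection to 176.58.100.37 (for example from a researcher's own browser) does not fire; if the C2 address changes in a later sample, the interval check still catches the pattern once you point `address` at the new host.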